PLUSManaged: Validating Time-Limited and Subscription Licenses

Validating time-limited licenses is simple in principle. To do this you can simply check to make sure the system's current date (DateTime.UtcNow.Date) is not past the license file's EffectiveEndDate. However, the tricky part is checking to make sure your application can trust the licensed system is reporting a reasonably accurate date. PLUSManaged offers a variety of ways to validate the system's date, and it is up to you to pick and chose the methods most appropriate and reliable for your application based upon its needs and the expectations of the environments in which the application will run. If your licensing requirements never impose any time limits, then you may not need to worry about validating the licensed system's clock (although it would still be good to read through and understand the subject for future reference).

Local Validation

Local validations are validations or checks your application can perform to prevent system clock tampering. PLUSManaged offers a number of pieces of information and validation objects that you can use.

API Tampering

Regardless of whether or not .NET is being used, your application will ultimately end up making calls to Windows API functions to get the system's date and time. There are some tools available (such as "Time Stopper" or "RunAsDate"), which essentially take the place of these Windows API functions in your application (via function hooking) and send an altered date to your application. Unfortunately, this type of hack is very impractical to prevent without being very invasive. However, the good news is that detecting this type of hack is generally very easy, as these types of tools generally result in the underlying APIs always returning the same time. PLUSManaged makes this very easy to detect and react to by adding code that uses the SystemClockValidation to your license implementation's Validate method as shown in the example below.

C#: SystemClockValidation clockValidation = new SystemClockValidation();
if (!clockValidation.Validate())
{
this.LastError = clockValidation.LastError;
return false;
}
VB.NET: Dim clockValidation As New SystemClockValidation()
If Not clockValidation.Validate() Then
Me.LastError = clockValidation.LastError
Return False
End If

Evaluating Date Properties

There are several properties inherited in your license implementation class that you can evaluate to prevent system clock tampering. These properties include:

EffectiveStartDate is the date and time which the license was issued. If the system clock predate the value stored here, the application should treat the license as being invalid or expired.
EffectiveEndDate is the date and time which the license expires. Any time-limited license should only be treated as a valid license when the system clock predates or equals this property's value. If the system clock shows a date and time that occurs after the date stored in this property, the application should treat the license as being expired.
SignatureDate is the date and time which SOLO Server signed the license file which was loaded by the application. If the system clock predates the value stored in this property's value, the application should treat the license as being invalid or expired.
LastUpdated is the date and time which a writable license was written, and can therefore only be used with writable license files. If the system clock predates the value stored in this property's value, the application should treat the license as being invalid or expired.

Enforcing Time Limitations

When using a time-limited license, PLUSManaged includes a LicenseEffectiveDateValidation class that your application can leverage to validate the EffectiveStartDate, EffectiveEndDate, and SignatureDate properties. The example below shows how your application can validate these dates (and this code excerpt assumes it is in a method in your license implementation class, as the keyword this/Me represents a License object).

C#: LicenseEffectiveDateValidation dateValidation = new LicenseEffectiveDateValidation(this);
if (!dateValidation.Validate())
{
this.LastError = dateValidation.LastError;
return false;
}
VB.NET: Dim dateValidation As New LicenseEffectiveDateValidation(Me)
If Not dateValidation.Validate() Then
Me.LastError = dateValidation.LastError
Return False
End If

Alias Validation

When using a writable license (regardless of whether or not it is time-limited), it is always best to validate the LastUpdated property on the license file and aliases to ensure a backup of the license file has not been restored, and that the system clock has not been back-dated. To help simplify the process of validating the aliases, PLUSManaged includes a LicenseAliasValidation that your application may use when validating the license and/or its aliases. An example of how to use this class in your license validation class is illustrated below.

C#: LicenseAliasValidation aliasValidation = new LicenseAliasValidation(this);
if (!aliasValidation.Validate())
{
this.LastError = aliasValidation.LastError;
return false;
}
VB.NET: Dim aliasValidation As New LicenseAliasValidation(Me)
If Not aliasValidation.Validate() Then
Me.LastError = aliasValidation.LastError
Return False
End If

Internet Validation

When possible, using an Internet source to validate a system's clock is a good way to determine whether or not the system clock is reporting a reasonably accurate time.

SOLO Server Web Services

When your application submits requests to SOLO Server's web services (including XmlActivationService, XmlLicenseFileService, and XmlNetworkFloatingService), SOLO Server checks the requesting system's date and time. SOLO Server is configured to require the requesting system's date and time to be within 24 hours of the server's date and time. If you self-host SOLO Server or use SOLO Server Custom URL or Dedicated URL, you have the option contact us to obtain additional information on adjusting this requirement. Whenever the requesting system is outside of SOLO Server's requirement, the web service response will reflect an error with a result code of 5022.

Network Time Protocol

Network Time Protocol (NTP) is the protocol used by the vast majority of computers to synchronize the system clock with an Internet time server. Although there is some benefit of validating time against an additional external source, using NTP has several disadvantages and challenges, including:

NTP servers are generally only meant to be used for synchronization, and may not be able to cope with the load imposed by applications validating the system's clock. If you are not hosting your own Internet time server for your application to use, then you should contact the server operator and obtain permission before using any server for validation in your application. It is very important to avoid the same controversy from inadvertent misuse of NTP as experienced by others in the past.
The NTP protocol does not offer any integrity validation, so there is no practical way to ensure the server you intend to use for validation is actually the one which responded to your application's NTP requests.
Since the NTP protocol is a sessionless user datagram protocol (UDP), it is not reliable as TCP-based protocols. Therefore, it is not uncommon to see attempts to reach out to NTP servers fail, especially when the request originates behind a router, firewall, or proxy server.
PLUSManaged only supports this type of validation in Windows, using the .NET Framework, and does not support this validation under Mono and other platforms.

If you opt to use NTP validation, it can be implemented very easily with PLUSManaged by adding a call to AddTimeServerCheck in your license implementation's constructor, and then calling the CheckTimeAgainstServers method in your license implementation's Validate method.

Automatic Recurring Payments

SOLO Server's Payment Plans allow you to offer subscription licenses, maintenance and support subscriptions, payment over multiple installments, and more. Learn more about how to configure SOLO Server for Payment Plans.